SQL Server 2008 R2：限制服务器登录以查看服务器上除2个数据库以外的所有数据库

Question

On my server that is hosting SQL Server 2008 R2, I open SSMS and under Security -> Logins there is a login named "SomeLoginName". When I log in to the server with this login, I am able to see all of the databases on the server.

I would like to restrict this user to only see 2 of the databases that are on the server. I've seen some solutions that say to revoke the VIEW ANY DATABASE permission for the login and then add the login as the db_owner for the databases I want "SomeLoginName" to be able to see. I don't want to have "SomeLoginName" as the db_owner for the databases that it is supposed to see.

Is there a way that I can configure "SomeLoginName" to only see 2 databases on the server without "SomeLoginName" being the db_owner for these 2 databases?

Thanks in advance.

Answer 1

Is there a way that I can configure "SomeLoginName" to only see 2 databases on the server without "SomeLoginName" being the db_owner for these 2 databases?

No, as you are on SQL Server 2008 R2 there s no such a way.

Starting with SQL Server 2012 new Contained Databases were introduced.

Here is another useful article SQL Server 2012 Contained Database Feature

While looking through the new features and improvements in SQL Server 2012, we found a potentially interesting feature called Contained Databases. A contained database basically includes all database settings and the metadata within itself thereby resulting in no configuration dependencies on the instance of the SQL Server Database Engine where the database is actually installed. Users will be able to connect to a contained database without authenticating a login at the Database Engine level. This feature really helps to isolate the database from the Database Engine thereby making it possible to easily move the database from one instance of SQL Server to another. In this tip we will take a look at how to configure and use this feature of SQL Server 2012.

When using contained databases you don't need login (security principal at the server level), only user at the database level. It will be a database , not a server , to authenticate your user. And as the consequence, this user will not "see databases" other than the database where it was created.

This user has not to be db_owner , it's an ordinary user with any permissions or even without any permission at all.

Answer 2

Thanks to @sepupic , his/her answer is correct. It turns out that I actually am running MS SQL Server 2012 so I was able to implement the Contained Database concept. The steps listed on the linked pages in @sepupic 's answer didn't work for me though. I found this one and put this script together. Here's what it does:

1. Changes the 'contained database authentication' to 1 for the MS SQL Server instance
2. Runs RECONFIGURE
3. Creates a contained database
4. Creates a user for the database

Here's the script:

USE master;

GO;

EXEC sp_configure 'contained database authentication', 1;

GO;

RECONFIGURE;

GO;

CREATE DATABASE ContainedDB2

CONTAINMENT = PARTIAL;

GO;

USE ContainedDB2;

GO;

CREATE USER cduser2

WITH PASSWORD = N'Pa$$word',

DEFAULT_SCHEMA = dbo;

GO;

Then you just configure the connection to the contained database in the section that begins with

Login and Verify the User Permissions on a Contained Database

Using the script I put together and configuring the connection under the section I mentioned sets it up so you connect to the server with the user that is created and that user can only see the contained database(s) you want it to. You have to configure the user to have permissions like the db role db_datareader in the contained database but instructions on how to do these types of things are easy to come by if you search for them. Thanks again to @sepupic for getting me started on coming up with an answer.